GDPR divides personal data into 3 categories; general personal data, sensitive personal data and details of criminal offences.
How to process and store data depends on the type of personal data.
The following information is sensitive personal data:
Personal data that does not fall under the category of ‘sensitive personal data’ can be referred to as ‘general/ordinary personal data’.
Ordinary personal data may include personal identification details such as name and address, customer relationships, personal finances, tax-related matters, debts, sick days, work-related circumstances, family circumstances, residence, car, qualifications, applications, CV, date of employment, position, area of work, work phone, key data: name, address, date of birth, IP address or other similar non-sensitive information.
Details of criminal offences may be information that a person has committed a particular offence, but it may also be e.g. information that a person is serving a prison sentence. In other words, details of criminal offences are information which can be used to deduce that a person has committed a criminal offence. Rules for the processing of information concerning criminal offences are not laid down in the regulation, but will be determined in the individual countries.
Source: The Danish Data Protection Agency